Submit manuscript...
eISSN: 2576-4500

Aeronautics and Aerospace Open Access Journal

Technical Paper Volume 3 Issue 3

A trust verification strategy for autonomous control system in launch site

Litian Xiao, Mengyuan Li, Kewen Hou, Fei Wang, Yuliang Li

Beijing Special Engineering Design and Research Institute, China

Correspondence: Litian Xiao, Beijing Special Engineering Design and Research Institute, Beijing 10028, China, Tel 86-10-56253387

Received: August 21, 2019 | Published: September 13, 2019

Citation: Xiao L, Li M, Hou K, et al. A trust verification strategy for autonomous control system in launch site. Aeron Aero Open Access J. 2019;3(3):127-132. DOI: 10.15406/aaoaj.2019.03.00090

Download PDF

Abstract

The control system at the launch site has gradually started providing unattended autonomous control during the flight mission. The autonomous control system is very important to autonomous control for ground facilities and equipment in space launch. Even if the autonomous control system has been tested, there is still no very effective method to ensure the trusted operation of the autonomous system. We propose a strategy for the trusted operation and verification of autonomous control system. Based on the state transition model of the control system, the trust verification of autonomous control system ensures the trusted operation of autonomous control. This verification is set up in the intelligent support system of the host computer, which makes lightweight for verification calculation in the control system. Trust verification strategy is the trusted stamp and the verification protocol. The state transferring of each module inside each controller is stamped by the stamping module embedded in PLC. The control output set includes the state stamps and is sent to the intelligent support system. The control verification module of the intelligent support system verifies the correction of autonomous control. The trusted state transferring is used to ensure the credibility of the autonomous operation. The paper analyzes the strategy’s security under environmental impact as well as independent and joint attack. The strategy is applied to a prototype system. It illustrates the feasibility of the strategy at launch site.

Keywords: launch site, autonomous control system, trust verification, trusted stamp, verification protocol

Introduction

At present, the autonomous control of the control system is more and more widely used in the ground facilities of the launch site. Programmable Logic Controller is a kind of embedded system in the autonomous control system. The controller’s trusted operation is vital to this kind of safety-critical applications, especially in space launch missions. Conceptually, the trusted goal of the control system is to propose a running entity that can perform a special action surpassed the preset security rules, and how to verify the entity. Therefore, we need to first ensure that the software and hardware systems can be quantified and verified by calculation. The critical core of a trusted system is trusted computing. At present, the trusted control system platform is mainly considered the security issues from the perspective of security architecture. The security of the user’s operating environment is ensured by the passive defense (i.e. security patching). We are committed to ensuring trusted operation and verifiability for autonomous control systems at the space launch sites. The paper analyzes the state change and transmitting of the control system, and proposes a trust verification strategy for the autonomous control system in launch site. Based on the proposed strategy, the security mechanism and the processes are set up by the critical elements for verifying the trusted autonomous operation. Once the trusted problem is verified, the problem is submitted to the fault handling module to analyze and deal with the autonomous control system. So the strategy ensures the operation reliability and security of the whole autonomous control system.

Related work

Control system architecture

The control objects of the ground facilities and the equipment control system at the launch site include pendulum bars, launch tower platforms, propellant refueling stations, gas supplies, air conditioners, fire protection devices, cranes, aim windows, gas alarms, moving towers, etc. A general control system for the launch site can be described by a state-transfer model.1,2

The control system receives and processes the various sensor signals from the controlled devices. These sensor signals (Sigsen) include analog signals (AI) and digital signals (DI), e.g., the signals from coders (Cod), location detectors (Loc), operation inductors (Opt), and moving sensors (Mov). They are converted and stored in the data input port (PI) by analog-to-digital (A/D) and digital-to-analog (D/A) convertors. The sensor signal set is

Sigsen = {AICod, AILoc, AIOpt, AIMov…, DICod, DILoc, DIOpt, DIMov…}; PISigsen.

According to the control logic, initial configuration, task, and interrupt, the control program processes and responds to the port data. Then, it updates the system configuration (V) and provides the corresponding control data to the data output port. After A/D or D/A conversion, the control data are converted to analog signals or digital drive ones (AO or DO) for moving the drive mechanisms such as relays, valves, transmissions, etc. Finally, real-time control is achieved, i.e.,

Sigdrv = {AORly, AOValv, AOTrans, …, DORly, DOValv, DOTrans,…}; POSigdrv.

The control system is constructed using components shown in Figure 1. The figure describes the work pattern and system model of the control system. A control system can be composed of multiple controllers, and the controller’s system features are decided by {PI, V, PO}, i.e., the controller’s action is controlled by its input, output, and configuration.3

The control system at the launch site has gradually started providing unattended autonomous control during the flight mission. The control system for ground equipment plays an important role in ensuring accurate and reliable control of each system, and in completing the test preparation, propellant refueling, and launching. Because of the limited resources of the field control systems, verifying the accuracy of autonomous control is not completely possible, which may result in security risks.

Intelligent support must make system-performance forecasts when the critical equipment control performance has changed. It must have simple and convenient maintenance procedures and must ensure and must ensure that the system is always in a good condition. In the event of a sudden control fault, it must make a rapid and accurate diagnosis, and based on the location, provide countermeasures on how to handle the situation appropriately. It must maintain control safety and reliability during the mission. These requirements can be met by constructing an intelligent support architecture with remote monitoring, control verification, fault diagnosis, and prediction. Intelligent support needs to provide work capabilities under multi-mission and multi-field scenarios. The designed remote intelligent support architecture for the ground equipment at the launch site is shown in Figure 2. The architecture is divided into two levels: field level and launch-site level.

Figure 1 Work pattern and system model of control system.

Figure 2 Remote intelligent support architecture.

Field level

The control system for ground equipment is distributed at the launch site. Usually, the control system completes the control tasks independently, according to the task flow. Operators can operate the system through close control. In the case of intelligent autonomous control, the field will consume more computing resources. Field verification of whether autonomous control is correct or not requires the deployment of additional resources. These will cause field-resource strains and inconveniences in terms of the control equipment layout and maintenance. Field control systems become more complex. Therefore, the front-end of the automatic control system is set up to be lightweight, to simplify the field control system.

Launch-site level

This level is located at the command center of the launch site. Control verification verifies whether the front

Autonomous control is operating correctly or not. In the case of faults, the fault-diagnosis system automatically performs the diagnosis. Operators, technicians, and supervisors monitor the performance state of ground equipment in real-time, who can maintain system equipment and control programs. The level performs remote control in the case of abnormal situations and coordinates with remote experts for technical support and guidance. The hierarchical remote intelligent support system is briefly described as follows:

  1. The field level performs autonomous control.
  2. The launch-site level is for autonomous control verification and fault diagnosis.
  3. The long-range level provides intelligent technical support for front-end autonomous control faults and maintenance.

The intelligent support processes involved in the control task are shown in Figure 3. The architecture key is control verification.

Figure 3 Intelligent support processes in control task.

Trusted research of control system

Now, there are a few related papers and reports about the trusted research of control system. The research of the related trusted system is mainly focused on the network, trusted computing and related software and hardware.4‒11 For the trusted guarantee of the complex software system under the network environment, the main researchers are that establishing a new software technology hierarchy. In order to adopt the hierarchy transformation, they study software object, quality target, construction method, and operation support. The quality model of internet ware is established with the quality core. The trusted technology system is constructed by quality assurance. In the research and development of trusted computing, some scholars believe that trusted computing cannot solve all information security problems. Trusted computing technology is combined with other information security technologies in the trusted computing field. They hope that they effectively solve information security problems.

In the research of software trusted evolution management, it is considered that the nature of trusted evolution is a software modification process driven by user expectation deviation. It makes that the software system is gradually from a simple to complex and from the preliminary use to mature and credible process. In the evolution view, it studies how to improve the convergence speed and effect of software trusted evolution.

The researchers on the architecture and key technologies of trusted networks propose a possible control model for evaluating the enabling technologies of trusted networks. They analyze the credibility of the user behavior in the network access process corresponding to the control rights model. In the progress of trusted computing technology hardware, the software on the computing platform is measured by enhancing the hardware architecture of the existing open platform. The software on the platform can be ensured to operate as expected. In the control system field, the technical features of the trusted control system are integrated existing defensive measures. The researchers utilize the linkage mechanism between the inside firewall of control systems, the intrusion detection system and the trusted connection server. It can improve the overall defense and security capability of control systems,12,13 but it doesn’t have the trusted verification and cannot ensure the trusted operation.

The credible risks are very high in actual applications at the aerospace launch site. For example, the control system of propellant injection is a typical system. It requires monitoring of temperature, pressure, and flow velocity, valve opening size, etc. It involves each valve action sequences and time as well as pipeline pressures while controlling valve opening or opening size. If the control information is incorrect, the propellant injection system may cause leakage or tube burst and freezing. Its consequences are catastrophic. Certainly, measures have generally been taken for these keys in the control system. Some have adopted redundant or hot backup methods. Some have added monitoring points and fault handling software. Others are strict with the test inspection and control the identity of software users. But there is no trusted verification in control system, whether the state transmission can be trusted exists the risk on the information source and host as well as terminal. Therefore, the untrusted verified system exists risks on safe and reliable. Trusted computing or credibility verification has become the main issue in the field of information security. However, correlated trusted research lags behind the application needs in actual control systems. It still lacks typical solutions.

Trusted Elements in Control System

Based on the control system model,3 ensuring the trusted state transferring in the controller is the key to ensure the credibility of the autonomous operation.

Set M = < V, v0, PI, PO, RPI, PM>, where V is the finite-state set of nonempty configurations inside the controller, PI is the finite set of non-empty inputs, PO is the finite set of nonempty outputs, and RPI is the mapping set of an input subset. v0V, where v0 is the initial state of the control program.

RPIβ(PI) ∈{ri}, (i = 1,2,…), where β is the transform function set of confirmed generalized verification. β filters an input subset that is effective in handling state transform. ri is a subset of PI. PM describes the incomplete mapping of the control program.

PM(a, b): β(V) × β(PO) × RPI β(V) × β(PO), where aβ(V)×β(PO), bRPI. v0β(V)×β(PO).

There are n states inside a controller. Each state transform is decided by M. M is constructed by {M1, M2,…ML} inner states. It includes multiple states transferring labeled as φi (i=1,2,…n). Each M1 may have several φi. Likewise, the state transformations combined multiple controllers is the same as individual controller inner states. The controller is abstracted by its operation states from the configuration of a controller, e.g. it is showed in Figure 4. So the trusted elements of the controller include input/output interface, configuration transformation, state transferring and programmable components. The network interface is outside the scope of the controller. We embed trusted verification computation in the controller to verify each input/output and state transfer.

The model M of the example consists of four submodule Mi (i=1,2,3,4). φ={φ1, φ2, φ3, φ4}is the verified property, which φi (i=1,2,…4) is the state transferring property from the input set to output set. It needs to ensure that the transferring property is trusted from input to output. A group of submodule Mi transforms configuration according to transferring path. We utilize the principle of digital signatures based on Schnorr protocol.14 The module members are marked particular stamps for output and verified stamps for input.

Figure 4 State transferring diagram of controller.

The trusted stamp and the verification protocol

φ1, φ2, …φn are defined as n state transferring to a controller.

Generates a key pair

To choose two large prime p and q, q is the prime factor of p-1. According to Schnorr’s suggestion, it is chosen q≥2140 and p≥2512, and then the primitive a (a≠1) of rank q is chosen in GF(p) and satisfies aq ≡1 mod p.14 The one-way hash function HASH is chosen and makes function h→{0,1,…2t-1}. These numbers and the function are promulgated and shared by all state members Mj (j=1,2…L).

Each φi chooses the private key Ki which is defined as a random number less than q on GF(q). The public key is

Ui=a-Ki mod p (i=1,2,…n)                   (1)

Generates state stamp

Assumed that T is the scan period of a response in the controller, state transferring has the performance time Ti

(i=1,2,…n), where T=T1+T2+ … +Tn. The designed scan period should be abided, or else the design and Ti reset. T and Ti are the time mark of the system given to every member states. It requires that the submodule should finish their work and state transferring at the given times. When state stamp being calculated, the system automatically gets corresponding system unify-time for consistency. Every time Ti exists the differences in precise time because of different performances. The process of state stamp is designed as below that n states transferring to result f.

First, defined x0= aT (mod p). φi has choose the random number di on GF(q). Calculating

xi= xi-1 a-Ti adi (mod p) ,                   (2)

and xi is sent to the sub module Mj (j=1,2,…L) related φi. When j=L, ML send xn to PO.

Then assuming y0=0 and calculating is processed

e=h(xn, f),

yi= yi-1+(di+Kie) (mod q) (i=1,2,…n) ,                (3)

Finally, {f, e, yn} is sent to PO and verified. {f, e, yn} is the group state stamp of the result f signed by the state

transferring φ1, φ2,…, φn in the controller.

Verifying state stamp

The PO receives the group state stamp {f, e, yn}, and then verifies the whole stamp with the public key Ui of the state transferring. Calculating

x n = a y n ( i=1 n U i ) e ( mod p ) MathType@MTEF@5@5@+= feaagKart1ev2aaatCvAUfeBSjuyZL2yd9gzLbvyNv2CaerbuLwBLn hiov2DGi1BTfMBaeXatLxBI9gBaerbd9wDYLwzYbItLDharqqtubsr 4rNCHbGeaGqkY=wjYJH8sqFD0xXdHaVhbbf9v8qqaqFr0xc9pk0xbb a9q8WqFfeaY=biLkVcLq=JHqpepeea0=as0Fb9pgeaYRXxe9vr0=vr 0=vqpWqaaeaabiGaciaacaqabeaadaqaaqaaaOqaaiqadIhagaqbam aaBaaaleaacaWGUbaabeaakiabg2da9iaadggadaahaaWcbeqaaiaa dMhadaWgaaadbaGaamOBaaqabaaaaOWaaeWaaeaadaqeWaqaaiaadw fadaWgaaWcbaGaamyAaaqabaaabaGaamyAaiabg2da9iaaigdaaeaa caWGUbaaniabg+GivdaakiaawIcacaGLPaaadaahaaWcbeqaaiaadw gaaaGcdaqadaqaaiGac2gacaGGVbGaaiizaabaaaaaaaaapeGaaiiO aiaadchaa8aacaGLOaGaayzkaaaaaa@4F6C@ (4)

then further verifying e=h(xn, f) whether or not comes into existence. If the verification equation comes into existence, the output is confirmed that the result is valid and can process the next performance. If the verification fails, the control system refuses the result.

The equation showed below is proved the validity of the state stamp scheme. Because it is based on (3) and (1), it has

x n = a y n ( i=1 n U i ) e ( modp )= a y n1 +( d n + k n e )( modq ) ( i=1 n1 U i ) e ( U n ) e ( modp ) MathType@MTEF@5@5@+= feaagKart1ev2aaatCvAUfeBSjuyZL2yd9gzLbvyNv2CaerbuLwBLn hiov2DGi1BTfMBaeXatLxBI9gBaerbd9wDYLwzYbItLDharqqtubsr 4rNCHbGeaGqkY=wjYJH8sqFD0xXdHaVhbbf9v8qqaqFr0xc9pk0xbb a9q8WqFfeaY=biLkVcLq=JHqpepeea0=as0Fb9pgeaYRXxe9vr0=vr 0=vqpWqaaeaabiGaciaacaqabeaadaqaaqaaaOqaaiqadIhagaqbam aaBaaaleaacaWGUbaabeaakiabg2da9iaadggadaahaaWcbeqaaiaa dMhadaWgaaadbaGaamOBaaqabaaaaOWaaeWaaeaadaqeWaqaaiaadw fadaWgaaWcbaGaamyAaaqabaaabaGaamyAaiabg2da9iaaigdaaeaa caWGUbaaniabg+GivdaakiaawIcacaGLPaaadaahaaWcbeqaaiaadw gaaaGcdaqadaqaaiGac2gacaGGVbGaaiizaiaadchaaiaawIcacaGL PaaacqGH9aqpcaWGHbWaaWbaaSqabeaacaWG5bWaaSbaaWqaaiaad6 gacqGHsislcaaIXaaabeaaliabgUcaRmaabmaabaGaamizamaaBaaa meaacaWGUbaabeaaliabgUcaRiaadUgadaWgaaadbaGaamOBaaqaba WccaWGLbaacaGLOaGaayzkaaWaaeWaaeaaciGGTbGaai4Baiaacsga caWGXbaacaGLOaGaayzkaaaaaOGaeyyXIC9aaeWaaeaadaqeWaqaai aadwfadaWgaaWcbaGaamyAaaqabaaabaGaamyAaiabg2da9iaaigda aeaacaWGUbGaeyOeI0IaaGymaaqdcqGHpis1aaGccaGLOaGaayzkaa WaaWbaaSqabeaacaWGLbaaaOGaeyyXIC9aaeWaaeaacaWGvbWaaSba aSqaaiaad6gaaeqaaaGccaGLOaGaayzkaaWaaWbaaSqabeaacaWGLb aaaOWaaeWaaeaaciGGTbGaai4BaiaacsgacaWGWbaacaGLOaGaayzk aaaaaa@7C25@

= a y n1 a ( d n + k n e )( modq ) ( i=1 n1 U i ) e ( a k n ) e ( modp )= a y n1 ( i=1 n1 U i ) e ( a r n ) e ( modp ) MathType@MTEF@5@5@+= feaagKart1ev2aaatCvAUfeBSjuyZL2yd9gzLbvyNv2CaerbuLwBLn hiov2DGi1BTfMBaeXatLxBI9gBaerbd9wDYLwzYbItLDharqqtubsr 4rNCHbGeaGqkY=wjYJH8sqFD0xXdHaVhbbf9v8qqaqFr0xc9pk0xbb a9q8WqFfeaY=biLkVcLq=JHqpepeea0=as0Fb9pgeaYRXxe9vr0=vr 0=vqpWqaaeaabiGaciaacaqabeaadaqaaqaaaOqaaiabg2da9iaadg gadaahaaWcbeqaaiaadMhadaWgaaadbaGaamOBaiabgkHiTiaaigda aeqaaaaakiabgwSixlaadggadaahaaWcbeqaamaabmaabaGaamizam aaBaaameaacaWGUbaabeaaliabgUcaRiaadUgadaWgaaadbaGaamOB aaqabaWccaWGLbaacaGLOaGaayzkaaWaaeWaaeaaciGGTbGaai4Bai aacsgacaWGXbaacaGLOaGaayzkaaaaaOGaeyyXIC9aaeWaaeaadaqe WaqaaiaadwfadaWgaaWcbaGaamyAaaqabaaabaGaamyAaiabg2da9i aaigdaaeaacaWGUbGaeyOeI0IaaGymaaqdcqGHpis1aaGccaGLOaGa ayzkaaWaaWbaaSqabeaacaWGLbaaaOGaeyyXIC9aaeWaaeaacaWGHb WaaWbaaSqabeaacqGHsislcaWGRbWaaSbaaWqaaiaad6gaaeqaaaaa aOGaayjkaiaawMcaamaaCaaaleqabaGaamyzaaaakmaabmaabaGaci yBaiaac+gacaGGKbGaamiCaaGaayjkaiaawMcaaiabg2da9iaadgga daahaaWcbeqaaiaadMhadaWgaaadbaGaamOBaiabgkHiTiaaigdaae qaaaaakiabgwSixpaabmaabaWaaebmaeaacaWGvbWaaSbaaSqaaiaa dMgaaeqaaaqaaiaadMgacqGH9aqpcaaIXaaabaGaamOBaiabgkHiTi aaigdaa0Gaey4dIunaaOGaayjkaiaawMcaamaaCaaaleqabaGaamyz aaaakiabgwSixpaabmaabaGaamyyamaaCaaaleqabaGaamOCamaaBa aameaacaWGUbaabeaaaaaakiaawIcacaGLPaaadaahaaWcbeqaaiaa dwgaaaGcdaqadaqaaiGac2gacaGGVbGaaiizaiaadchaaiaawIcaca GLPaaaaaa@8C46@

It can be obtained the below equation on the analogy of (3).

x n = a d n a d n1 .... a d 1 ( modp ) MathType@MTEF@5@5@+= feaagKart1ev2aaatCvAUfeBSjuyZL2yd9gzLbvyNv2CaerbuLwBLn hiov2DGi1BTfMBaeXatLxBI9gBaerbd9wDYLwzYbItLDharqqtubsr 4rNCHbGeaGqkY=wjYJH8sqFD0xXdHaVhbbf9v8qqaqFr0xc9pk0xbb a9q8WqFfeaY=biLkVcLq=JHqpepeea0=as0Fb9pgeaYRXxe9vr0=vr 0=vqpWqaaeaabiGaciaacaqabeaadaqaaqaaaOqaaiqadIhagaqbam aaBaaaleaacaWGUbaabeaakiabg2da9iaadggadaahaaWcbeqaaiaa dsgadaWgaaadbaGaamOBaaqabaaaaOGaeyyXICTaamyyamaaCaaale qabaGaamizamaaBaaameaacaWGUbGaeyOeI0IaaGymaaqabaaaaOGa aiOlaiaac6cacaGGUaGaaiOlaiaadggadaahaaWcbeqaaiaadsgada WgaaadbaGaaGymaaqabaaaaOWaaeWaaeaaciGGTbGaai4Baiaacsga caWGWbaacaGLOaGaayzkaaaaaa@50A2@

Due to (2) and initial condition x0, the equation is

x n =[ x n / ( x n1 a Tn ) ][ x n1 / ( x n2 a Tn1 ) ].....[ x 1 / ( x 0 a T1 ) ]( modp ) = x n / ( x 0 a TnTn1.....T1 ) ( modp )= x n ( modp ) MathType@MTEF@5@5@+= feaagKart1ev2aaatCvAUfeBSjuyZL2yd9gzLbvyNv2CaerbuLwBLn hiov2DGi1BTfMBaeXatLxBI9gBaerbd9wDYLwzYbItLDharqqtubsr 4rNCHbGeaGqkY=wjYJH8sqFD0xXdHaVhbbf9v8qqaqFr0xc9pk0xbb a9q8WqFfeaY=biLkVcLq=JHqpepeea0=as0Fb9pgeaYRXxe9vr0=vr 0=vqpWqaaeaabiGaciaacaqabeaadaqaaqaaaOabaeqabaGabmiEay aafaWaaSbaaSqaaiaad6gaaeqaaOGaeyypa0ZaamWaaeaadaWcgaqa aiaadIhadaWgaaWcbaGaamOBaaqabaaakeaadaqadaqaaiaadIhada WgaaWcbaGaamOBaiabgkHiTiaaigdaaeqaaOGaamyyamaaCaaaleqa baGaeyOeI0Iaamivaiaad6gaaaaakiaawIcacaGLPaaaaaaacaGLBb GaayzxaaWaamWaaeaadaWcgaqaaiaadIhadaWgaaWcbaGaamOBaiab gkHiTiaaigdaaeqaaaGcbaWaaeWaaeaacaWG4bWaaSbaaSqaaiaad6 gacqGHsislcaaIYaaabeaakiaadggadaahaaWcbeqaaiabgkHiTiaa dsfacaWGUbGaeyOeI0IaaGymaaaaaOGaayjkaiaawMcaaaaaaiaawU facaGLDbaacaGGUaGaaiOlaiaac6cacaGGUaGaaiOlamaadmaabaWa aSGbaeaacaWG4bWaaSbaaSqaaiaaigdaaeqaaaGcbaWaaeWaaeaaca WG4bWaaSbaaSqaaiaaicdaaeqaaOGaamyyamaaCaaaleqabaGaeyOe I0IaamivaiaaigdaaaaakiaawIcacaGLPaaaaaaacaGLBbGaayzxaa WaaeWaaeaaciGGTbGaai4BaiaacsgacaWGWbaacaGLOaGaayzkaaaa baGaeyypa0ZaaSGbaeaacaWG4bWaaSbaaSqaaiaad6gaaeqaaaGcba WaaeWaaeaacaWG4bWaaSbaaSqaaiaaicdaaeqaaOGaamyyamaaCaaa leqabaGaeyOeI0Iaamivaiaad6gacqGHsislcaWGubGaamOBaiabgk HiTiaaigdacqGHsislcaGGUaGaaiOlaiaac6cacaGGUaGaaiOlaiab gkHiTiaadsfacaaIXaaaaaGccaGLOaGaayzkaaaaamaabmaabaGaci yBaiaac+gacaGGKbGaamiCaaGaayjkaiaawMcaaiabg2da9iaadIha daWgaaWcbaGaamOBaaqabaGcdaqadaqaaiGac2gacaGGVbGaaiizai aadchaaiaawIcacaGLPaaaaaaa@90DB@

So e= h(xn, f)= h(xn, f) is verified.

During the state stamp, every state transferring φi apply the below equation to verify the validity of the stamp yi-1.

x i1 = a T T 1 T 2 ..... T i1 a y i1 ( j=1 i1 U j ) e ( modp )( i=2,3,...n ) MathType@MTEF@5@5@+= feaagKart1ev2aaatCvAUfeBSjuyZL2yd9gzLbvyNv2CaerbuLwBLn hiov2DGi1BTfMBaeXatLxBI9gBaerbd9wDYLwzYbItLDharqqtubsr 4rNCHbGeaGqkY=wjYJH8sqFD0xXdHaVhbbf9v8qqaqFr0xc9pk0xbb a9q8WqFfeaY=biLkVcLq=JHqpepeea0=as0Fb9pgeaYRXxe9vr0=vr 0=vqpWqaaeaabiGaciaacaqabeaadaqaaqaaaOqaaiqadIhagaqbam aaBaaaleaacaWGPbGaeyOeI0IaaGymaaqabaGccqGH9aqpcaWGHbWa aWbaaSqabeaacaWGubGaeyOeI0IaamivamaaBaaameaacaaIXaaabe aaliabgkHiTiaadsfadaWgaaadbaGaaGOmaaqabaWccaGGUaGaaiOl aiaac6cacaGGUaGaaiOlaiaadsfadaWgaaadbaGaamyAaiabgkHiTi aaigdaaeqaaaaakiabgwSixlaadggadaahaaWcbeqaaiaadMhadaWg aaadbaGaamyAaiabgkHiTiaaigdaaeqaaaaakmaabmaabaWaaebmae aacaWGvbWaaSbaaSqaaiaadQgaaeqaaaqaaiaadQgacqGH9aqpcaaI XaaabaGaamyAaiabgkHiTiaaigdaa0Gaey4dIunaaOGaayjkaiaawM caamaaCaaaleqabaGaamyzaaaakmaabmaabaGaciyBaiaac+gacaGG KbGaamiCaaGaayjkaiaawMcaamaabmaabaGaamyAaiabg2da9iaaik dacaGGSaGaaG4maiaacYcacaGGUaGaaiOlaiaac6cacaWGUbaacaGL OaGaayzkaaaaaa@6D2C@ (5)

The validation is to judge whether or not xi-1’ = xi-1 comes into existence. In fact (4) is a special example of (5). Similarly, the validation can be capable of proof.

x i1 = a T T 1 T 2 ..... T i1 a y i1 ( j=1 i1 U j ) e ( modp )= a T T 1 T 2 ..... T i1 a r i1 a r i2 .... a r 1 = x i1 MathType@MTEF@5@5@+= feaagKart1ev2aaatCvAUfeBSjuyZL2yd9gzLbvyNv2CaerbuLwBLn hiov2DGi1BTfMBaeXatLxBI9gBaerbd9wDYLwzYbItLDharqqtubsr 4rNCHbGeaGqkY=wjYJH8sqFD0xXdHaVhbbf9v8qqaqFr0xc9pk0xbb a9q8WqFfeaY=biLkVcLq=JHqpepeea0=as0Fb9pgeaYRXxe9vr0=vr 0=vqpWqaaeaabiGaciaacaqabeaadaqaaqaaaOqaaiqadIhagaqbam aaBaaaleaacaWGPbGaeyOeI0IaaGymaaqabaGccqGH9aqpcaWGHbWa aWbaaSqabeaacaWGubGaeyOeI0IaamivamaaBaaameaacaaIXaaabe aaliabgkHiTiaadsfadaWgaaadbaGaaGOmaaqabaWccaGGUaGaaiOl aiaac6cacaGGUaGaaiOlaiaadsfadaWgaaadbaGaamyAaiabgkHiTi aaigdaaeqaaaaakiabgwSixlaadggadaahaaWcbeqaaiaadMhadaWg aaadbaGaamyAaiabgkHiTiaaigdaaeqaaaaakmaabmaabaWaaebmae aacaWGvbWaaSbaaSqaaiaadQgaaeqaaaqaaiaadQgacqGH9aqpcaaI XaaabaGaamyAaiabgkHiTiaaigdaa0Gaey4dIunaaOGaayjkaiaawM caamaaCaaaleqabaGaamyzaaaakmaabmaabaGaciyBaiaac+gacaGG KbGaamiCaaGaayjkaiaawMcaaiabg2da9iaadggadaahaaWcbeqaai aadsfacqGHsislcaWGubWaaSbaaWqaaiaaigdaaeqaaSGaeyOeI0Ia amivamaaBaaameaacaaIYaaabeaaliaac6cacaGGUaGaaiOlaiaac6 cacaGGUaGaamivamaaBaaameaacaWGPbGaeyOeI0IaaGymaaqabaaa aOGaeyyXICTaamyyamaaCaaaleqabaGaamOCamaaBaaameaacaWGPb GaeyOeI0IaaGymaaqabaaaaOGaeyyXICTaamyyamaaCaaaleqabaGa amOCamaaBaaameaacaWGPbGaeyOeI0IaaGOmaaqabaaaaOGaaiOlai aac6cacaGGUaGaaiOlaiabgwSixlaadggadaahaaWcbeqaaiaadkha daWgaaadbaGaaGymaaqabaaaaOGaeyypa0JaamiEamaaBaaaleaaca WGPbGaeyOeI0IaaGymaaqabaaaaa@8E68@

During the state stamp, the verification is considered that the group state stamp mentioned above is correct.

Analyzing the security of the trusted stamp protocol

Because a majority of calculation needed to produce a stamp can be finished in the phase of pretreatment and be

independent of massages that are ready to be stamped, the calculation can be processed in idles and not influence the stamping speed. For the same level of security, the stamp length based on Schnorr protocol is much shorter than other signature protocol.14 The security of the signature and authentication scheme is founded on the computational difficulty of the discrete logarithm. There is randomness influence on trusted operation caused by environment or components performance. Because of state stamping, it is easy to verify these trusted problems during system operation. It will not cause a particular trusted problem. However, intentional attack on the controller is the biggest risk of the trusted operation. The following analysis of the protocol is faced with trusted operation security under attack.

The security of exterior independence attack

The security of every single stamp is the same as the Schnorr’s.15 The attack on group stamp has the modes mentioned below. Under the mode a), b), c), d) and e) the computational difficulty is the equivalence of calculating discrete logarithm on GF(p).

  1. Anyone can obtain the value p, a and Ui. Someone tries to obtain Ki from Ui=a-Ki mod p. It is impossible to obtain the private key Ki that the attacker is directly started with generating the key.
  2. Someone tries to obtain Ki or random number di by Ui, xi, and yi.
  3. Someone tries to obtain Ki or random number di by the public information {f, e , yn} or {f, e, y} and the verification equation (5).
  4. An attacker may try to choose randomly an integer Ki and then solve di by the equation of calculating yi.
  5. The attacker has known x0, x1,… xi and tries to solve yi or has also known yi to solve di which are met the equation

x i = a T T 1 T 2 .... T i1 a y i ( j=1 i ( U j ) e ( mod p ) MathType@MTEF@5@5@+= feaagKart1ev2aaatCvAUfeBSjuyZL2yd9gzLbvyNv2CaerbuLwBLn hiov2DGi1BTfMBaeXatLxBI9gBaerbd9wDYLwzYbItLDharqqtubsr 4rNCHbGeaGqkY=wjYJH8sqFD0xXdHaVhbbf9v8qqaqFr0xc9pk0xbb a9q8WqFfeaY=biLkVcLq=JHqpepeea0=as0Fb9pgeaYRXxe9vr0=vr 0=vqpWqaaeaabiGaciaacaqabeaadaqaaqaaaOqaaiaadIhadaWgaa WcbaGaamyAaaqabaGccqGH9aqpcaWGHbWaaWbaaSqabeaacaWGubGa eyOeI0IaamivamaaBaaameaacaaIXaaabeaaliabgkHiTiaadsfada WgaaadbaGaaGOmaaqabaWccaGGUaGaaiOlaiaac6cacaGGUaGaaiiv amaaBaaameaacaGGPbGaeyOeI0IaaGymaaqabaaaaOGaeyyXICTaai yyamaaCaaaleqabaGaaiyEamaaBaaameaacaGGPbaabeaaaaGccaGG OaWaaebmaeaadaqadaqaaiaadwfadaWgaaWcbaGaamOAaaqabaaaki aawIcacaGLPaaaaSqaaiaadQgacqGH9aqpcaaIXaaabaGaamyAaaqd cqGHpis1aOWaaWbaaSqabeaacaWGLbaaaOWaaeWaaeaaciGGTbGaai 4BaiaacsgaqaaaaaaaaaWdbiaacckacaWGWbaapaGaayjkaiaawMca aaaa@6026@ ,

who wants to make the whole group stamp met the verification equation by use of calculating a part of group stamps.

An attacker may try to personate or change φi under the condition of unknowing Ki. The method is that the history information of the stamping process is collected and then the current stamp information is calculated or personated by the history information. Because the time mark Ti is added to the scheme and different every time, it is different from history and current information. It means that xi of the same φi is different every time and e is different too. The history stamp yi cannot be utilized.

Analyzing the security of united attack

The united attack is that the obtained some stamps are united to solve other stamps of module group. It is not repeated here to the analysis of security similar exterior independence attack. If a part of stamps is united to forge one or several stamps, they need one or several Ki. The condition is impossible as above. If k stamps are united to forge h stamps of φi (k+hn) and make the group stamp valid to the verification during the state stamping, the verification equation needs to be met. They also face the computational problem of the discrete

logarithm. The replace attack is a kind of forging attack that has much dangerous. Because the security of φi’s stamp is the equivalence of Schnorr’s protocol, the replace attack is invalidated in the scheme of the paper.

It can be summed up the discussion that it is secure to the group stamp based on the computational difficulty of the discrete logarithm. According to the conclusion proved by the theory of computational complexity, 2t is the difficulty of breaking the protocol (the probability is 2-t, and Schnorr suggested t≥72).14,16 The attacker can calculate for several years to forge a stamp.14,15,17 But time mark is added into the scheme and enhanced the capability of anti-attack. In the state stamp, every module verifies the previous stamp and then stamping after the verification is correct. So the capability of anti-attack is enhanced further.

Conclusion

We have built a prototype system to verify the operation of the protocol. A desk computer connects the controller with the interface of input/output and optical network. The control verification system is carried out on a computer, Intel® Core™ i3 M530 Processor, 2.53GHz, 4GB RAM. The system generates a key pair and sent to package in PI. The verification algorithm modules receive the PO packages and perform the verification on the computer. The controller is chosen ZC-300 PLC based on LOONGSON 1A.18 The state stamping calculation is embedded in the PLC. The computer sends out input driving at the input port of the controller. Each state transferring of the controller is stamped on the controller. Finally, the computer accepts the output result and the verification module verifies the stamps. For accumulative total about 10000 state transferring, the calculating speed of the stamping and the verification is at most the microsecond order of magnitude or faster. The millisecond-level control is enough to deal with at launch sites. With the controller performance improvement, the application of this protocol has a larger capacity. The research identifies the elements of a trusted autonomous operation based on the control system model in the paper.

The key to the elements is the credibility of the state transferring. We create a guarantee mechanism for trusted operation on the autonomous control system and design the trusted stamp and the verification protocol. By constructing the control system model, the trusted state migration is determined by the model. We design to ensure the trustworthiness of the state migration, so as to obtain the credibility of the autonomous system. The trusted state transferring ensures the autonomous system trusted operation. In the next step, the actual algorithm of state stamp and verification will be optimized. Although theoretical and prototype system is feasible, there are still many issues to be studied in engineering applications.

Acknowledgments

This work was funded by the project of General Technology on Test and Launch partially sponsored by the 973 program. We would like to thank Tsinghua’s Prof. Yu Liu who provided us with helpful suggestions and some research resources in the research.

Conflicts of interest

Authors declare that there is no conflict of interest.

References

  1. Xiao LT, et al. System Architecture and Construction Approach for Intelligent Space Launch Site. Advances in Intelligent Systems and Computing. 2019;856:397‒404.
  2. Xiao LT, Xiao N, Mengyuan L, et al. Intelligent Architecture and Hybrid Model of Ground and Launch System for Advanced Launch Site. IEEE Aerospace; 2019.
  3. Xiao LT, Li MY, Ming G, et al. PLC programs' checking method and strategy based on module state transfer. IEEE Int Conf Information and Automation; 2015. 702–706 p.
  4. Wang J, Shi Y, Peng G, et al. Survey on Key Technology Development and Application in Trusted Computing. China Communication. 2016;13(11):70‒90.
  5. Yudhi Biantoro, Ian Joseph ME. A literature review of service computing system trust. 2017 International Conference on Information Technology Systems and Innovation (ICITSI); 2017. 361‒366 p.
  6. Hiltunen J, Kuusijarvi J. Trust Metrics Based on a Trusted Network Element. 2015 IEEE Trustcom/BigDataSE/ISPA; 2015. 19‒35 p.
  7. Michael JB. Trusted Computing: An Elusive Goal. Computer. 2015;48(3):99‒101.
  8. Zhexiong W, Yu RF, Tang H, et al. Securing cognitive radio vehicular Ad hoc networks with trusted lightweight cloud computing. 2016 IEEE Conference on Communications and Network Security; 2016. 1‒10 p.
  9. Noorman J, Agten P, Daniels W, et al. Sancus: low-cost trustworthy extensible networked devices with a zero-software trusted computing base. Usenix Conference on Security; 2013. 479‒494 p.
  10. Maene P, Gotzfried J, Clercq R, et al. Hardware-Based Trusted Computing Architectures for Isolation and Attestation. IEEE Transactions on Computers. 2018;67(3):361‒374.
  11. Rauter T, Höller A, Iber J, et al. Thingtegrity: A Scalable Trusted Computing Architecture for Resource Constrained Devices. International Conference on Embedded Wireless System & Networks; 2016. 23‒34 p.
  12. Morris T, Vaughn R, Dandass Y, et al. A retrofit network intrusion detection system for modbus RTU and ASCII industrial control systems. IEEE 45th Hawaii International Conference on System Sciences: Piscataway, NJ; 2012. 2338‒2345 p.
  13. Knowles W, Prince D, Hutchison D, et al. A survey of cyber security management in industrial control systems. International Journal of Critical Infrastructure Protection. 2015;9:52‒80.
  14. Schnorr CP. Efficient Signature Generation for Smart Card. Journal of Cryptology. 1991;4(3):161‒174.
  15. Hwang SJ, Hwang MS, Tzeng F. A New Digital Multi-signature Scheme with Distinguished Signing Authorities. Journal of Information Science & Engineering. 2010;19(5):881‒887.
  16. Tahat N, Mustafa Z, Alomari AK. New ID-based digital signature scheme on factoring and discrete logarithms. Applied Mathematical Sciences. 2012;6(25-28):1363‒1369.
  17. Tuan HD, Nguyen HM, Tran CM, et al. Integrating Multi-signature Scheme into the Group Signature Protocol. International Conference on Advances in Information & Communication Technology; 2016. 294‒301 p.
  18. http://www.loongson.cn/product/cpu/1/Loongson1A.html
Creative Commons Attribution License

©2019 Xiao, et al. This is an open access article distributed under the terms of the, which permits unrestricted use, distribution, and build upon your work non-commercially.